Пример #1
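   register: function(req, res){
     // Create an account from the posted username/password and answer with a JWT.
     // 400 when either field is missing, 500 when the save fails.
     var body = req.body || {};

     if(!body.username || !body.password){
       // Return here: without it the handler fell through, tried to save a
       // user anyway and sent a second response on a finished reply.
       res.status(400).end('Must provide user name and password');
       return;
     }

     // HTML-encode the username once at write time (it is rendered as HTML text).
     var filteredUsername = xssFilters.inHTMLData(body.username);
     // NOTE(review): HTML-encoding the password before hashing silently changes
     // it (e.g. "<" becomes "&lt;"), so the login path must apply the exact same
     // transform or such passwords never verify. A password is never rendered,
     // so hashing the raw value is the usual choice -- kept as-is to match login.
     var filteredPassword = xssFilters.inHTMLData(body.password);
     // bcrypt-hash the password; never store it in clear text
     var new_user = new User({username: filteredUsername, password: createHash(filteredPassword)});
     new_user.save()
       .then(function success(user){
         // Saved: issue a token that expires after 24h (86400 seconds)
         var token = jwt.sign(
             {
               _id: user._id,
               username: user.username
             },
             jwtSecret,
             {expiresIn: 86400}
         );
         res.send({
           token: token,
           user: {_id: user._id, username: user.username, logged_in: true}
         });
       })
       // This was a second .then(): it ran after every success, logged undefined
       // and tried to send a 500 on an already-sent response. Rejections go here.
       .catch(function error(err){
         console.log(err);
         res.status(500).end("Internal Server Error");
       });
   },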
Пример #2
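customEvent.prototype.addEvent = function(event)
{
    // Copy the own properties of `event` into a fresh object and append it to
    // this.events, HTML-encoding every field on the way:
    //   startDate -> parsed into a Date
    //   category  -> expected to be a two-element array; both entries are encoded
    //   anything else -> encoded as HTML text
    var tempObj = {};
    for(var property in event){
        if (!event.hasOwnProperty(property)) {
            continue;
        }
        var value = event[property];
        if(property === "startDate")
        {
            // Bug fix: `Date(value)` without `new` ignores its argument and returns
            // the *current* time as a string, so every event got "now" as its start.
            tempObj[property] = new Date(value);
        }
        else if(property === "category")
        {
            // NOTE(review): only the first two entries are kept; any further
            // entries are dropped silently -- confirm that is intended.
            tempObj[property] = [
                xssFilters.inHTMLData(value[0]),
                xssFilters.inHTMLData(value[1])
            ];
        }
        else
        {
            tempObj[property] = xssFilters.inHTMLData(value);
        }
    }
    this.events.push(tempObj);
};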
Пример #3
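 app.post('/register', validateRegistration, function(req, res){
   // Register a user (input validated upstream by `validateRegistration`) and
   // reply with a 24h JWT plus a minimal user object; 500 on a failed save.
   var body = req.body;
   // Do not log the body: it carries the clear-text password and ends up in
   // whatever collects stdout. Log only a marker.
   console.log('registering');
   var filteredFirstName = xssFilters.inHTMLData(body.first_name);
   var filteredLastName = xssFilters.inHTMLData(body.last_name);
   var filteredEmail = xssFilters.inHTMLData(body.email);
   // NOTE(review): HTML-encoding a password before hashing alters it (e.g. "<"
   // becomes "&lt;"); the login path must apply the same transform or those
   // passwords never verify. Kept to stay consistent with the existing login code.
   var filteredPassword = xssFilters.inHTMLData(body.password);
   var new_user = new User({first_name: filteredFirstName, last_name: filteredLastName, email: filteredEmail, password: createHash(filteredPassword)});
   new_user.save()
     .then(function success(user){
       var token = jwt.sign(
           {
             _id: user._id,
             email: user.email
           },
           jwtSecret,
           {expiresIn: 86400} // seconds -> 24 hours
       );
       res.json({
         token: token,
         user: {_id: user._id, email: user.email, logged_in: true}
       });
     }, function error(err){
       // Details stay server-side; the client gets a generic message.
       console.log('error on the server', err);
       res.status(500).json({status: "Internal Server Error"});
     });
 });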
Пример #4
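/**
 * Render the "active avatar" card for a user.
 *
 * `name` is inserted as HTML text content, so the HTML-data filter is the
 * right escape for it. `avatar` is inserted inside a double-quoted `src`
 * attribute: inHTMLData only neutralises `<`, so a `"` in the value closed the
 * attribute and let the caller append attributes of its own (e.g. onerror).
 * The double-quoted-attribute filter is the matching escape for that context.
 * The value is also a path segment under assets/images/; if avatar names can
 * originate from users, additionally restrict them to a known set or pattern.
 *
 * @param {string} name   display name
 * @param {string} avatar image file name under assets/images/
 * @returns {string} HTML fragment
 */
function userTemplate(name, avatar) {
  let safeName = xss.inHTMLData(name);
  let safeAvatar = xss.inDoubleQuotedAttr(avatar);
  return `<div class='active-avatar'>
            <img width="54" src="assets/images/${safeAvatar}" />
            <h5 class='post-author'>${safeName}</h5>
          </div>`;
}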
Пример #5
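router.post('/return', function(req, res, next) {
    // Return a borrowed book: verify the book and the card exist and that a
    // borrow record links them, then delete that record.
    // Every failure path now returns after responding; previously the handler
    // fell through on errors, read `rows` of a failed query and answered twice.
    // The ids are HTML-encoded for later display; that is NOT SQL protection --
    // book.query/card.query/record.* must bind them as parameters.
    var recordIns = {
        book_id: xssFilters.inHTMLData(req.body.book_id),
        card_id: xssFilters.inHTMLData(req.body.card_id)
    };
    // Uniform error reply: only errno/code, never the raw driver error object
    // (it was sent as-is before and can carry the failing SQL text).
    function dbError(err) {
        res.json({
            err: true,
            msg: 'Error ' + err.errno + ': ' + err.code
        });
    }
    book.query({book_id: recordIns.book_id}, function(err, rows, fields) {
        if (err) {
            return dbError(err);
        }
        if (rows.length === 0) {
            return res.json({ err: true, msg: 'No such books' });
        }
        card.query(recordIns.card_id, function(err, rows, fields) {
            if (err) {
                return dbError(err);
            }
            if (rows.length === 0) {
                return res.json({ err: true, msg: 'No such card' });
            }
            record.query(recordIns, function(err, rows, fields) {
                if (err) {
                    return dbError(err);
                }
                if (rows.length === 0) {
                    return res.json({ err: true, msg: 'Haven\'t borrowed this book' });
                }
                record.delete(recordIns, function(err, result) {
                    if (err) {
                        return dbError(err);
                    }
                    res.json({ err: false, result: result });
                });
            });
        });
    });
});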
Пример #6
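app.put('/edit-task/:task_id', ensureAuthenticationAPI, function(req, res) {
    // Update a task owned by the logged-in user. Name/description are
    // HTML-encoded for display and length-checked against vali_str_opt; the due
    // date must parse as MM-DD-YYYY. The UPDATE is scoped by set_by_id, so a user
    // can only touch their own rows; zero affected rows is reported as "no permission".
    var task_name = xssFilters.inHTMLData(req.body.task_name),
        task_desc = xssFilters.inHTMLData(req.body.task_desc),
        task_due_date = xssFilters.inHTMLData(req.body.task_due_date),
        task_id = req.params.task_id;

    function reject(str) {
        res.json({ stat: 0, str: str });
    }

    if (validator.isNull(task_name) || validator.isNull(task_desc) || validator.isNull(task_due_date)) {
        return reject("You must fill out all fields!");
    }
    if (!validator.isLength(task_name, vali_str_opt) || !validator.isLength(task_desc, vali_str_opt)) {
        return reject("Description and name must be longer than " + vali_str_opt.min + " characters");
    }
    if (!moment(task_due_date, ["MM-DD-YYYY"]).isValid()) {
        return reject("Date is invalid");
    }

    var task_update_model = {
        task_name: task_name,
        task_desc: task_desc,
        date_due: task_due_date
    };

    // `SET ?` expands the fixed-key object; values and ids are bound as
    // parameters, never interpolated into the SQL text.
    db.query("UPDATE tasks SET ? WHERE set_by_id = ? AND tasks.id = ?", [task_update_model, req.user.id, task_id], function(err, result) {
        if (err) {
            // Was `throw err`: an exception thrown inside the driver callback is
            // uncaught and takes the whole process down. Log and answer 500.
            console.error(err);
            return res.status(500).json({ stat: 0, str: "Internal Server Error" });
        }
        if (result.affectedRows < 1) {
            // Nothing matched: not the owner, or no such task
            return reject("You don not have persmission to edit this task");
        }
        res.json({ stat: 1 });
    });
});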
Пример #7
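router.post('/register', [helpers.getCoupon,verifyCanRegister], function (req, res) {
  // Sign a user up, optionally with a coupon (resolved into req.coupon by
  // helpers.getCoupon). A 100%-off coupon short-circuits into a VIP membership;
  // everyone else gets a Stripe customer, is saved, and is sent a welcome email.
  var clientCoupon

  // A coupon code was sent but did not resolve
  if (!req.coupon && req.body.coupon) {
    helpers.sendJSONResponse(res, 400, { 'error': 'Invalid Coupon' })
    return
  }
  if (req.coupon && !req.coupon.valid) {
    helpers.sendJSONResponse(res, 400, { 'error': 'Coupon is no longer valid' })
    return
  }

  var user = new User()
  // HTML-encode once at write time; the email is lower-cased so uniqueness is
  // case-insensitive.
  user.name = xssFilters.inHTMLData(req.body.name)
  user.email = xssFilters.inHTMLData(req.body.email).toLowerCase();
  user.signupip = helpers.getIpAddress(req)
  // The raw password goes to setPassword (hashing); it is never rendered, so
  // leaving it unencoded is correct.
  user.setPassword(req.body.password)

  if (req.coupon) {
    // Past the checks above, req.coupon is always valid here
    user.couponcode = xssFilters.inHTMLData(req.coupon.id)
    clientCoupon = {
      amount_off: req.coupon.amount_off,
      percent_off: req.coupon.percent_off
    }
    if (req.coupon.percent_off === 100) {
      vip.createVIPMembership(user, req, res)
      return
    }
  }

  stripe.customers.create({email: user.email}, function (stripeerr, customer) {
    if (stripeerr) {
      helpers.sendErrorResponse(res, 500, 'User could not be created')
      return
    }
    user.customerid = customer.id
    user.save(function (err) {
      if (err) {
        // Was an empty console.log(): keep the cause server-side so a failure
        // that is NOT a duplicate email (validation, connectivity) can be diagnosed.
        console.log('user.save failed', err)
        helpers.sendErrorResponse(res, 500, "This email has already been taken.  <a href='#' data-modal='login-modal'>Login</a> if it's yours")
      } else {
        email.sendInitialEmail(user, function () {
          helpers.sendUpdateCookie(res, user, {
            status: 'success',
            coupon: clientCoupon
          })
        })
      }
    })
  })
})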
router.get('/index.php', function (req, res, next) {
    // Dashboard for a logged-in user, public landing page otherwise.
    // The user's fields are HTML-encoded right before rendering.
    // NOTE(review): this mutates req.user in place; if that object is also the
    // session/DB document, the encoded values may be persisted or encoded again
    // on a later request. A view-model copy would avoid that.
    // NOTE(review): `req.user.is` looks like a typo for `id` (it creates a new
    // property and leaves `req.user.id` untouched) -- kept verbatim, confirm.
    if (!req.user) {
        res.render('frontpublic', {title: 'Express with Passport Local Strategy Login'});
        return;
    }
    var current = req.user;
    current.name = xssFilters.inHTMLData(current.name);
    current.email = xssFilters.inHTMLData(current.email);
    current.is = xssFilters.inHTMLData(current.id);
    res.render('dash', {title: 'Express with Passport Local Strategy Login', user: current});
});
Пример #9
/**
 * Build the list-entry markup for an article.
 * Both values are interpolated as HTML text content, so the HTML-data filter
 * is the matching escape for them.
 *
 * @param {string} title     article title
 * @param {string} lastReply text describing the latest reply
 * @returns {string} HTML fragment
 */
function articleTemplate(title, lastReply) {
  const [safeTitle, safeLastReply] = [title, lastReply].map((value) => xss.inHTMLData(value));
  return `<article class='post'>
          <h2 class='post-title'>
            ${safeTitle}
          </h2>
          <p class='post-meta'>
            ${safeLastReply}
          </p>
        </article>`;
}
Пример #10
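app.post('/save-class', ensureAuthenticationAPI, function(req, res) {
    // Create a class (organisation) owned by the logged-in user.
    // The name is HTML-encoded for display; the INSERT binds the fixed-key
    // model object, so the value itself is never interpolated into SQL.
    var class_name = xssFilters.inHTMLData(req.body.class_name);

    if (validator.isNull(class_name)) {
        return res.json({ stat: 0, str: "You must fill out all fields in the form" });
    }
    if (!validator.isLength(class_name, vali_str_opt)) {
        return res.json({ stat: 0, str: "Your organisation name must be longer than " + vali_str_opt.min + " characters" });
    }

    var class_model = {
        id: null,                // assigned by the database
        owner_id: req.user.id,   // owner comes from the session, never the body
        class_name: class_name
    };
    db.query('INSERT INTO classes SET ?', class_model, function(err, result) {
        if (err) {
            // Was `throw err`: an exception inside the driver callback is uncaught
            // and crashes the server. Log it and answer 500 instead.
            console.error(err);
            return res.status(500).json({ stat: 0, str: "Internal Server Error" });
        }
        res.json({ stat: 1 });
    });
});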
Пример #11
 // Build the deck's white cards from the raw deck data: each card text is
 // HTML-encoded once here and the card gets a deck-scoped sequential id and the
 // deck's watermark. toJSON hands back the card itself, so JSON.stringify
 // produces {id, text, watermark} (function-valued properties are skipped).
 deck.whiteCards = _.map(deckData.whiteCards, function (text) {
     var encodedText = xssFilters.inHTMLData(text);
     var card = {
         id: deck.id + (cardId++),
         text: encodedText,
         watermark: deck.watermark
     };
     card.toJSON = function () { return card; };
     return card;
 });
Пример #12
 // Render the profile page for the session's user. A lookup failure answers
 // 401; otherwise username/email are HTML-encoded for the template and for the
 // page title. avatarPath and usergroup are passed through unencoded -- fine
 // only if they are not user-controlled (confirm). Render errors are not
 // inspected (as before).
 user.getUserInfo(req.session.uid, function(err, data){
     if(err){
         console.log(err);
         res.sendStatus(401);
         return;
     }
     var usernameFiltered = xssFilters.inHTMLData(data.username);
     var viewParams = {
         username: usernameFiltered,
         email: xssFilters.inHTMLData(data.email),
         avatar: data.avatarPath,
         usergroup: data.usergroup
     };
     res.render('profile/profile', { params: viewParams }, function(err, html){
         var title = '<i class="fa fa-pencil-square-o"></i> ' + usernameFiltered + '&#39;s Profile';
         res.send(responseObject.generateResponseObject(title, html));
     });
 });
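            finalist.save(function(err) {
                // Persist the finalist, then record the caller's vote on it and
                // remember the Facebook id so the same id cannot vote twice.
                // Every failure now returns: previously the handler carried on after
                // res.json() and sent a second response (or reported success after
                // an error), and a failed UserVoted save was reported as success.
                // NOTE(review): fbid is taken from the request body; whether it was
                // verified against Facebook upstream is not visible here.
                function fail(err) {
                    res.json({ type: false, data: "Error occured: " + err });
                }
                if (err) {
                    return fail(err);
                }

                // All free-text fields are HTML-encoded once at write time
                var voter = {
                    name: xssFilters.inHTMLData(req.body.name),
                    ic: xssFilters.inHTMLData(req.body.ic),
                    phone: xssFilters.inHTMLData(req.body.phone),
                    email: xssFilters.inHTMLData(req.body.email),
                    slogan: xssFilters.inHTMLData(req.body.slogan),
                    ans1: xssFilters.inHTMLData(req.body.ans1),
                    ans2: xssFilters.inHTMLData(req.body.ans2),
                    facebookID: xssFilters.inHTMLData(req.body.fbid),
                    date: new Date(),
                    subscribe: xssFilters.inHTMLData(req.body.subscribe)
                };
                // NOTE(review): `upsert: true` with a client-supplied fid means an
                // unknown id silently creates a new Finalist document; if only
                // existing finalists may receive votes this should be false.
                Finalist.findByIdAndUpdate(
                    xssFilters.inHTMLData(req.body.fid),
                    {$push: {"voters": voter}},
                    {safe: true, upsert: true, new : true},
                    function(err, model) {
                        if (err) {
                            return fail(err);
                        }
                        var userModel = new UserVoted();
                        userModel.fbid = xssFilters.inHTMLData(req.body.fbid);
                        userModel.save(function(err, user) {
                            if (err) {
                                return fail(err);
                            }
                            res.json({ type: true, data: 'Vote Updated!' });
                        });
                    }
                );
            });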
Пример #14
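router.delete('/card', function(req, res, next) {
    // Delete a library card. Refuses when the id is missing, the card does
    // not exist, or the card still has borrow records.
    // Presence is checked on the raw value, before encoding: inHTMLData returns
    // a string, and what it yields for a missing value is library-defined, so
    // testing its output may never catch an absent id.
    // The encoded id is what the rest of the app stores/queries; it is NOT SQL
    // escaping -- card.query/record.query/card.delete must bind it as a parameter.
    var rawId = req.body.id;
    if (!rawId) {
        return res.json({ err: true, msg: 'Invalid Card ID' });
    }
    var validatedId = xssFilters.inHTMLData(rawId);

    function dbError(err) {
        res.json({ err: true, msg: 'Error ' + err.errno + ': ' + err.code });
    }

    card.query(validatedId, function(err, rows, fields) {
        if (err) {
            return dbError(err);
        }
        if (!rows.length) {
            // Was missing `return`: a nonexistent card still went on to the
            // record lookup and the delete, answering twice.
            return res.json({ err: true, msg: 'No such card' });
        }
        record.query({card_id: validatedId}, function(err, rows, fields) {
            if (err) {
                return dbError(err);
            }
            if (rows.length) {
                return res.json({ err: true, msg: 'Please return all books first' });
            }
            card.delete(validatedId, function(err, result) {
                if (err) {
                    return dbError(err);
                }
                res.json({ err: false, msg: result });
            });
        });
    });
});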
Пример #15
router.post('/book', function(req, res, next) {
    // Add a book. Text fields are HTML-encoded for later display (not SQL
    // escaping -- book.query/book.add must bind them); numeric fields go through
    // validator and fall back to a default when they do not parse. Refuses when
    // a book with the same id already exists.
    function intOr(value, fallback) {
        var parsed = validator.toInt(value);
        return isNaN(parsed) ? fallback : parsed;
    }
    function floatOr(value, fallback) {
        var parsed = validator.toFloat(value);
        return isNaN(parsed) ? fallback : parsed;
    }
    function dbError(err) {
        res.json({ err: true, msg: 'Error ' + err.errno + ': ' + err.code });
    }

    var bookIns = {
        book_id: xssFilters.inHTMLData(req.body.id),
        category: xssFilters.inHTMLData(req.body.category),
        title: xssFilters.inHTMLData(req.body.title),
        press: xssFilters.inHTMLData(req.body.press),
        year: intOr(req.body.year, 0),
        author: xssFilters.inHTMLData(req.body.author),
        price: floatOr(req.body.price, 0.00),
        total_quantity: intOr(req.body.total, 1)
    };

    book.query({book_id: bookIns.book_id}, function(err, rows, field) {
        if (err) {
            return dbError(err);
        }
        if (rows.length) {
            return res.json({ err: true, msg: 'Book ID Conflict' });
        }
        book.add(bookIns, function(err, result) {
            if (err) {
                return dbError(err);
            }
            res.json({ err: false, msg: result });
        });
    });
});
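	/**
	* Sanitize contact-form data for HTML output.
	*
	* Every known field is passed through the HTML-data filter so it can later be
	* inserted as text content; keys not in the list below are dropped. This is
	* output encoding for HTML only -- it is not validation (no email/phone
	* format checks) and not SQL or mail-header escaping.
	*
	* @param {object} data contact form data; a missing/null object is treated as empty
	*
	* @return {object} sanitized data with the keys company, contactType, email,
	*                  fName, message, name, phone, trg (in that order)
	*
	*/
	function sanitizeInput(data) {
		debug('sanitizing request')

		// Tolerate a missing body instead of throwing on property access
		var source = data == null ? {} : data
		var fields = ['company', 'contactType', 'email', 'fName', 'message', 'name', 'phone', 'trg']
		var clean = {}
		fields.forEach(function (key) {
			clean[key] = xssFilters.inHTMLData(source[key])
		})
		return clean
	}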
Пример #17
router.get('/book', function(req, res, next) {
    // Search books by the query-string filters. Text filters default to '' and
    // are HTML-encoded; numeric ranges and sort_order go through validator.
    // NOTE(review): sort_by/sort_order presumably end up in an ORDER BY inside
    // book.query; HTML encoding does nothing for SQL, so book.query must map
    // sort_by onto a fixed column whitelist -- not visible from here, confirm.
    var text = function (value) {
        return xssFilters.inHTMLData(value || '');
    };
    var query = req.query;
    var criteria = {
        book_id: text(query.id),
        category: text(query.category),
        title: text(query.title),
        press: text(query.press),
        author: text(query.author),
        year: {
            from: validator.toInt(query.from_year),
            to : validator.toInt(query.to_year)
        },
        price: {
            from: validator.toFloat(query.from_price),
            to: validator.toFloat(query.to_price)
        },
        sort_by: text(query.sort_by),
        sort_order: validator.toInt(query.sort_order)
    };
    book.query(criteria, function(err, rows, fields) {
        if (err) {
            res.json({ err: true, msg: 'Error ' + err.errno + ': ' + err.code });
            return;
        }
        res.json({ err: false, result: rows });
    });
});
Пример #18
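    socket.on('message', function(message) {
        // Broadcast a chat message from this socket to every connected client.
        // The outgoing object is built from scratch: the old code re-emitted the
        // client's own object (only `body` cleaned), so any extra properties the
        // client added were relayed to everyone. Sender name and time come from
        // server-side state, never from the payload.
        if (!message || typeof message.body !== 'string') {
            return; // malformed payload: nothing to broadcast
        }
        var sender = users[socket.id];
        if (!sender) {
            return; // socket not in the user table (assumed: not joined yet)
        }

        socket.emit('msg_ack');

        var outgoing = {
            body: xss_filter.inHTMLData(message.body).trim(),
            nick: sender.nick,
            time: Math.floor(Date.now() / 1000)
        };
        io.sockets.emit('new_message', outgoing);
    });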
Пример #19
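                // Build the deck's black cards: text is HTML-encoded once here; draw
                // and pick default to 1 and are coerced to numbers when present.
                // toJSON returns the object itself, so JSON.stringify yields
                // {id, draw, pick, text, watermark}.
                deck.blackCards = _.map(deckData.blackCards, function (card) {
                    var text = xssFilters.inHTMLData(card.text);
                    // NOTE(review): `+card.draw` on a non-numeric value gives NaN and
                    // no range check is applied -- confirm the importer validates.
                    var draw = card.draw ? +card.draw : 1;
                    var pick = card.pick ? +card.pick : 1;

                    // The unused local `toJSON` that returned the raw card.text/card.id
                    // was removed: dead code, and a trap if ever wired up, since it
                    // would bypass the encoding above.
                    var obj = {id: deck.id + (cardId++), draw: draw, pick: pick, text: text, watermark: deck.watermark};
                    obj.toJSON = function () {
                        return obj;
                    };
                    return obj;
                });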
Пример #20
  /**
   * Ingest one chat message into its room's log (kept sorted by message id and
   * capped at 80 entries) and notify the UI.
   *   message.rawMessage <- the HTML-encoded text
   *   message.message    <- the encoded text with emotes turned into trusted HTML
   *   message.timestamp  <- coerced to a Date
   * A title notification fires when nobody is logged in or the message comes
   * from another player. `noEvent` suppresses the 'chat-message' broadcast.
   */
  function receiveMessage(message, noEvent) {
    var MAX_LOG = 80;
    var encoded = xssFilters.inHTMLData(message.message);

    message.rawMessage = encoded;
    message.message = trustEmotesAsHTML(encoded);
    message.timestamp = new Date(message.timestamp);

    var log = getChatRoom(message.room);
    var last = log[log.length - 1];

    if (!last || last.id < message.id) {
      // Common case: newest message, append
      log.push(message);
    } else {
      // Out of order or a re-send: first entry whose id is >= ours (guaranteed
      // to exist because the last entry already is)
      var at = log.findIndex(function (entry) { return entry.id >= message.id; });
      if (log[at].id === message.id) {
        log[at] = message; // same id: replace the logged copy
      } else {
        log.splice(at, 0, message);
      }
    }

    // Drop the oldest entries so rendering stays cheap
    var excess = log.length - MAX_LOG;
    if (excess > 0) {
      log.splice(0, excess);
    }

    var me = $rootScope.userProfile;
    var fromSomeoneElse = Boolean(message.player && message.player.steamid && me && me.steamid !== message.player.steamid);
    if (!me || fromSomeoneElse) {
      Notifications.titleNotification();
    }

    if (!noEvent) {
      $rootScope.$emit('chat-message', message);
    }
  }
Пример #21
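/**
 * Render an entity as a <figure>, optionally floated and captioned.
 *
 * The caption title falls back to entity.summary.title. If the entity's proto
 * provides its own generateFigure, its output is wrapped in a link to the
 * entity; otherwise the encoded title is shown. User-visible text goes through
 * the HTML-data filter and the href through the URI-in-attribute filter. The
 * proto-delegated branch now encodes the href too: it inserted `url` raw while
 * the caption a few lines up already encoded the same value.
 *
 * @param ctx         request context, passed through to the proto
 * @param blobstores  passed through to the proto
 * @param site        provides sitePathToUrl()
 * @param entity      the entity to render (path(), summary.title, _proto)
 * @param options     data-* attributes: data-float, data-title, data-desc
 *                    (data-size was read but never used and is no longer read)
 * @param next        callback(err, html)
 */
Protoset.prototype.generateFigure = function(ctx, blobstores, site, entity, options, next) {
  var figFloat = options['data-float'];
  var title = options['data-title'] || entity.summary.title;
  var desc = options['data-desc'] || '';
  var url = site.sitePathToUrl(entity.path());
  var safeUrl = xssFilters.uriInDoubleQuotedAttr(url);

  var caption = '';
  if (title || desc) {
    caption = '<figcaption><h3><a href="' + safeUrl + '">' +
      xssFilters.inHTMLData(title) + '</a></h3>' +
      xssFilters.inHTMLData(desc) + '</figcaption>';
  }

  // Only the two literal values are honoured; anything else is ignored, so
  // this attribute cannot inject into the style attribute.
  var floatStr = '';
  if (figFloat === 'left') {
    floatStr = ' style="float: left;" ';
  } else if (figFloat === 'right') {
    floatStr = ' style="float: right;" ';
  }

  var page = this._pages[entity._proto];
  if (page.hasOwnProperty('generateFigure')) {
    return page.generateFigure(ctx, blobstores, entity, options, function(err, figcontents) {
      if (err) {
        return next(err);
      }
      // figcontents is trusted as already-rendered HTML from the proto
      return next(null, '<figure' + floatStr + '><a href="' + safeUrl + '">' +
        figcontents + "</a>" + caption + '</figure>');
    });
  }
  return next(null, '<figure' + floatStr + '>' + xssFilters.inHTMLData(entity.summary.title) + caption + '</figure>');
};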
Пример #22
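router.post('/card', function(req, res, next) {
    // Create a library card. Fields are HTML-encoded for later display (this is
    // not SQL escaping -- card.query/card.add must bind them as parameters).
    var cardIns = {
        card_id: xssFilters.inHTMLData(req.body.id),
        name: xssFilters.inHTMLData(req.body.name),
        department: xssFilters.inHTMLData(req.body.department),
        category: xssFilters.inHTMLData(req.body.category)
    };
    function dbError(err) {
        res.json({ err: true, msg: 'Error ' + err.errno + ': ' + err.code });
    }
    card.query(cardIns.card_id, function(err, rows, fields) {
        if (err) {
            return dbError(err);
        }
        if (rows.length) {
            // Was missing `return`: the conflict was reported but card.add still
            // ran, inserting a duplicate and answering a second time.
            return res.json({ err: true, msg: 'Card ID Conflict' });
        }
        card.add(cardIns, function(err, result) {
            if (err) {
                return dbError(err);
            }
            res.json({ err: false, msg: result });
        });
    });
});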
Пример #23
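 socket.on('new_message', function(message) {
     // Relay a chat message from an authenticated socket to all clients.
     // Sender identity comes from the socket's session (socket.request.user),
     // never from the payload. Non-string or blank payloads are ignored.
     if (typeof message !== 'string') {
         // Was `message.trim()` on whatever arrived: a non-string payload threw
         // inside the handler instead of being dropped.
         return;
     }
     if (message.trim().length === 0) {
         return;
     }
     var googleProfile = socket.request.user.google;
     var message_data = {
         message: xssFilters.inHTMLData(message),
         sender: googleProfile.name,
         sender_pic: googleProfile.prof_image,
         sender_id: googleProfile.id
     };
     io.sockets.emit('new_message', message_data);
 });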
    // NOTE(review): fragment -- the enclosing handler and the closing `);` of this
    // https.get() call lie outside this excerpt.
    // NOTE(review): the query string embeds an app access token ("appid|appsecret")
    // as a source literal. That is a credential committed to the repository: move
    // it to configuration/environment and rotate it, since anyone with the code has it.
    // NOTE(review): req.body.fbid is concatenated into the URL unencoded, so a value
    // containing '/' or '?' changes which Graph endpoint or parameters are requested;
    // encodeURIComponent(req.body.fbid) would pin it to one path segment.
    // Only the status code is used to decide the id exists; the response body is
    // never read and the stream is left unconsumed.
    https.get("https://graph.facebook.com/"+req.body.fbid+"?access_token=1124095634309355|7fa9b6c3521add6e4d3b910e716db51c",function(response)
        {
            if (response.statusCode == 200) {
            //console.log(body)  
            // Encoded for storage/display; the lookup below is by value, not via SQL
            var fbID = xssFilters.inHTMLData(req.body.fbid);
            UserVoted.findOne({fbid: fbID}, function(err, user) {

            if (err) {
                    res.json({
                    type: false,
                    data: "Error occured: " + err
                });
            } else {
                if (user) {
                    res.json({
                        type: false,
                        data: "You already voted"
                    }); 
                } else {
                    //dont exist so we pass token to client localstorage
                    console.log(req.body.fbid);
                    
                        // NOTE(review): in this branch `user` is null (that is what the
                        // `if (user)` above ruled out), so jwt.sign is handed a null
                        // payload -- most likely an error, or at best an empty token.
                        // NOTE(review): `token` is assigned without var/let and so is an
                        // implicit global shared by every concurrent request.
                        token = jwt.sign(user, config.secret, {
                            expiresIn: '20m'
                        });
                        console.log(token);
                            res.json({
                                type: true,
                                data: 'authentication process done',
                                token: token
                            });
                        
                    
                }
            }
            }); //.UserVoted
        }else{
            console.log(response.statusCode);
            res.json({
                                type: false,
                                data: 'Bad Request'
                                
            });
        }
        }
Пример #25
		// NOTE(review): continuation of a promise chain whose head (the campground
		// lookup) and any .catch() are outside this excerpt; as shown, a rejection
		// from Comment.create or a throw in either callback has no visible handler.
		.then((campground) => {
			// The comment body is HTML-encoded at write time; the author is taken
			// from the session, never from the request body.
			let newComment = {
				comment: xssFilter.inHTMLData(req.body.comment),
				author: req.user.username
			};

			Comment.create(newComment)
			.then((comment) => {
				comment.author.id = req.user._id;
				comment.author.username = req.user.username;
				// NOTE(review): these three save() calls are neither awaited nor
				// returned, so their errors are lost and the redirect below can fire
				// before the writes finish.
				comment.save();
				campground.comments.push(comment);
				campground.save();
				// NOTE(review): `user` is not defined anywhere in this excerpt --
				// presumably resolved earlier in the chain; confirm.
				user.comments.push(comment);
				user.save();
				req.flash('success', 'Comment successfuly created!');
				return res.redirect(`/campgrounds/${campground._id}`);
			});
		})
Пример #26
	// Private message relay: encode the text, echo it to the sender, persist it
	// (seen=true if the receiver is online, false otherwise) and, when online,
	// forward it to the receiver.
	// NOTE(review): sender, receiver, senderSocketNickname and
	// receiverSocketNickname are all read from the client payload. Nothing here
	// ties them to the socket that sent the event, so a client can write messages
	// as any sender, address any socket, and flip another user's online status.
	// The sender identity should come from this socket's own session state.
	// NOTE(review): `callback` is not defined in this handler, so every error
	// branch below throws a ReferenceError instead of reporting the error.
	// NOTE(review): `x in users` also matches inherited keys (e.g. "constructor")
	// and `users[...]` can be undefined for a client-chosen key, which makes the
	// `.emit` calls throw; only `data.msg` is encoded while the whole `data`
	// object (any extra properties included) is forwarded to both parties.
	socket.on('send message', function(data){
		//- Sanitise message //
		data.msg = xssFilters.inHTMLData(data.msg);
		//- Update sender chat window //
		users[data.senderSocketNickname].emit('new message', data);
		//- If receiver is online //
		if(data.receiverSocketNickname in users){
			//- Save message in database with seen as true //
			AM.sendMessage({ sender: data.sender, receiver: data.receiver, msg: data.msg, seen : true, timestamp: Math.floor(Date.now() / 1000)},
				function(e, o){
					if (e) callback (e)
					else {
						AM.updateMessageSession({ sender: data.sender, receiver: data.receiver, msg: data.msg, timestamp: Math.floor(Date.now() / 1000)},
						function(e, obj){
							if (e) callback (e)
							else {
								//- Update online status //
								users[data.receiverSocketNickname].emit('online', data);
								//- Send to receiver //
								users[data.receiverSocketNickname].emit('new message', data);
							}
						});
					}
				});
			}
			else {
				//- Save message in database with seen as false //
				//- (same persist sequence as above; only `seen` and the final event differ) //
				AM.sendMessage({sender: data.sender, receiver: data.receiver, msg: data.msg, seen : false, timestamp: Math.floor(Date.now() / 1000)},
					function(e, o){
						if (e) callback (e)
						else {
							AM.updateMessageSession({sender: data.sender, receiver: data.receiver, msg: data.msg, timestamp: Math.floor(Date.now() / 1000)},
								function(e, obj){
									if (e) callback (e)
									else {
									//- Update online status if receiver is offline //
									users[data.senderSocketNickname].emit('offline', data);
									}
								});
						}
				});
			}
	});
                    // NOTE(review): fragment -- this is the completion callback of a
                    // call (the findByIdAndUpdate seen earlier on this page) whose
                    // surrounding statement is outside this excerpt.
                    function(err, model) {
                        // NOTE(review): no `return` after the error reply, so the
                        // UserVoted record is still created and a second "success"
                        // response is attempted on the same request.
                        if (err)
                            res.json({
                            type: false,
                            data: "Error occured: " + err
                            });

                        // Remember the Facebook id so the same id cannot vote again;
                        // fbid comes from the request body (verification not visible here)
                        var userModel = new UserVoted();
                        userModel.fbid = xssFilters.inHTMLData(req.body.fbid);
                        userModel.save(function(err, user) {
                            // NOTE(review): `err` is ignored here, so a failed save is
                            // still reported as 'Vote Updated!'.
                            res.json({
                                type: true,
                                data: 'Vote Updated!',
                                
                            });
                        
                        })

                    }
Пример #28
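router.put('/auth/user/:cid', LoggedInRequired, jsonParser, (req, res) => {
  // Update a user's full name and, for callers holding WRITE_USERS, their role.
  // A caller may always edit their own record; anyone else's requires the
  // restriction. cid is compared as a string on both sides: the route param is
  // always a string while the session value may not be, and the original mixed
  // a coercing `!=` with a strict `===`, so the session refresh at the end
  // silently never ran when the types differed.
  const cid = req.params.cid;
  const isSelf = String(req.session.user.cid) === String(cid);
  const canWriteUsers = hasRestrictions(req, Restrictions.WRITE_USERS);

  if (!isSelf && !canWriteUsers) {
    res.status(403).end();
    Logger.warn(`User ${req.session.user.cid} had insufficient permissions to write another users data`);
    return;
  }

  const {fullname} = req.body;
  const updated = {};
  let filteredFullname;
  if (typeof fullname === 'string') {
    // HTML-encode once at write time; the value is rendered as text elsewhere.
    // (A request without fullname previously stored the encoded form of undefined.)
    filteredFullname = inHTMLData(fullname);
    updated.fullname = filteredFullname;
  }

  if (_.has(req.body, 'role')) {
    if (!canWriteUsers) {
      res.status(403).end();
      Logger.warn(`User ${req.session.user.cid} had insufficient permissions to change another users role`);
      return;
    }
    // NOTE(review): the role is stored as sent; if the set of valid roles is
    // fixed it should be checked against that list here.
    updated.role = _.get(req.body, 'role', 'None');
  }

  User.findOneAndUpdate({ cid: cid }, { $set: updated }, (err) => {
    if (err) {
      // Was `res.status(500).send(err); throw err;` -- that leaked the driver
      // error to the client and then crashed the process with an uncaught exception.
      Logger.warn(`Failed to update user ${cid}: ${err}`);
      res.status(500).end();
      return;
    }

    // Keep the session copy in step with the database
    if (isSelf) {
      _.merge(req.session.user, updated);
    }

    if (filteredFullname !== undefined) {
      updateAuthorOfImagesUploadedByCid(cid, filteredFullname);
    }

    res.status(202).end();
  });
});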
Пример #29
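router.get('/record/list', function(req, res, next) {
    // List the borrow records of one card (?id=...), adding a human-readable
    // remain_time computed from each record's return_date.
    // Presence is checked on the raw query value (before encoding), and every
    // failure path returns -- the missing-id branch previously fell through and
    // ran the card lookup anyway, answering twice.
    // The encoded id is for display; card.query/record.list must still bind it
    // as a parameter.
    var rawId = req.query.id;
    if (!rawId) {
        return res.json({ err: true, msg: 'Invalid Card ID' });
    }
    var validatedId = xssFilters.inHTMLData(rawId);

    function dbError(err) {
        res.json({ err: true, msg: 'Error ' + err.errno + ': ' + err.code });
    }

    card.query(validatedId, function(err, rows, fields) {
        if (err) {
            return dbError(err);
        }
        if (!rows.length) {
            return res.json({ err: true, msg: 'No such card' });
        }
        record.list(validatedId, function(err, rows, fields) {
            if (err) {
                return dbError(err);
            }
            rows.forEach(function(row) {
                row.remain_time = moment(row.return_date).fromNow();
            });
            res.json({ err: false, result: rows });
        });
    });
});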
Пример #30
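 socket.on('msg send', function(msg){
   // Relay a chat line from this socket to everyone (sender included) and
   // persist it. The display name comes from the server-side namestore, never
   // from the payload.
   if (typeof msg !== 'string') {
     return; // ignore malformed payloads
   }
   var entry = namestore[socket.id];
   if (!entry) {
     return; // socket has no registered name (assumed: not joined yet)
   }
   // Was an implicit global (`name = ...`): shared across every socket, so
   // concurrent handlers could read each other's value.
   var name = entry.name;
   var clean = xssFilters.inHTMLData(msg);
   console.log('message: ' + clean);

   var payload = { msg: clean, name: name };
   socket.json.emit('msg push', payload);
   socket.json.broadcast.emit('msg push', payload);

   // Save to DB
   var chatdata = new Chat();
   chatdata.message = clean;
   chatdata.date = new Date();
   chatdata.name = name;
   chatdata.save(function(err) {
     if (err) { console.log(err); }
   });
 });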